ASA 8.4 NAT question

So far this is just in theory and I have never tried it but I was wondering if this is possible.

If there are multiple VLANs on the ASA such as:

192.168.10.0/24

192.168.11.0/24

192.168.12.0/24

192.168.13.0/24

And I set up a site-to-site VPN to, let's say, 192.168.12.0/24 and 192.168.13.0/24. Now the thing is that from the remote location these two networks only need to access 192.168.10.0/24 at the above main location. So the traffic definitely needs to be NAT'ed from the remotes hitting the main location. But is it possible to do NAT on the main location like this instead:

Re: ASA 8.4 NAT question

Yes, so the two sites have overlapping networks. Now normally in a situation like this I know I can just simply do a NAT at the remote location. But in this case I wanted to see if it is possible to do a NAT at the main corporate location instead for the VPN traffic coming in?

Re: ASA 8.4 NAT question

Hi,

This was actually a question that has been asked here every now and then. I never really got myself around to test this until now.

I was originally skeptical if this could work. Mainly because of the fact that the NAT configuration would be applied first. This would mean that the destination IP address after the destination UN-NAT has been done would actually be the overlapping network.

This would mean that the interesting traffic defining ACL should use the Local Mapped address as the source and the Remote Real address as the destination. Because the source address is translated and the destination address is untranslated before the VPN negotiation takes place.

So I tested this configuration with an actual L2L VPN setup between my 2 ASA firewalls. Both had one overlapping network on them.

So the key thing to notice from the MAIN ASA configurations is that we NAT both the source and the destination IP address. This translation happens before any VPN phase happens and therefore the actual source for the VPN tunnel is LOCAL-MAPPED and the destination is REMOTE-REAL. So these networks have to be in the L2L VPN interesting traffic defining ACL.

So the configuration is basically telling the ASA to tunnel traffic destined to the network that is located both at the MAIN ASA and at the REMOTE ASA.

However, we can confirm that an ICMP from a local computer behind MAIN ASA to the interface IP address of REMOTE ASA goes through the VPN rather than going directly to the WLAN interface. (Notice that we are naturally using the MAPPED address as the destination for our ICMP.)

Below command prompt shows us that the connectivity exists

Below output of "show crypto ipsec sa" from MAIN ASA shows us that the traffic went through the L2L VPN. One of the ICMP Echos doesn't receive a reply as it only brings up the L2L VPN (and times out) but the other 3 go through.

Also a "packet-tracer" output from the MAIN ASA and an actual ICMP shows us that the local traffic to this overlapping network remains unchanged.

ASA# sh arp | inc WLAN
WLAN 10.0.255.15 60fe.c588.52f3 16

ASA# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.15 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.255.0 255.255.255.0 WLAN

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1325243, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WLAN
output-status: up
output-line-status: up
Action: allow

Hope this helps

The NAT in my setup is done a bit differently. It's simply done from the local to the remote interface and NAT is done both for the source and the destination. Your configuration used the other direction (which would pretty much do the same) although it missed the last "object" from the end of the command.

Please do remember to mark a reply as the correct answer if it answered your question.

ASA 8.4 NAT question

Hi,

Ah right, I guess you don't really need to NAT the LOCAL network in this situation as there is no overlap between it and the REMOTE networks.

With regards to the actual REMOTE sites' NAT configurations: you still have to follow the basic step of configuring NAT for an L2L VPN connection. You will most likely have a Dynamic PAT rule on the REMOTE sites that would be applied if you didn't configure the NAT0 line in my above example.

So the NAT0 in this case for the REMOTE site is required. The only situation where I could see that you wouldn't need any NAT configurations is when you actually didn't have any kind of NAT configuration on the device to begin with. Then traffic would be flowing without NAT just fine.
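The following is an added worked example, not the configuration the posters tested (their configs were not reproduced on this page). It puts into ASA 8.4 syntax what the answer above describes for the MAIN ASA (twice NAT of source and destination, with the crypto ACL matching the post-NAT addresses LOCAL-MAPPED and REMOTE-REAL) and what the follow-up describes for the REMOTE ASA (a NAT0 exemption plus the mirrored crypto ACL). All object names, the 10.0.100.0/24 and 10.0.200.0/24 mapped ranges, the interface names, the peer address 198.51.100.2 and the pre-shared key placeholder are assumptions chosen to fit the addresses visible in the packet-tracer output (LAN 10.0.0.0/24, overlapping WLAN 10.0.255.0/24).

```cisco
! ===== MAIN ASA (8.4) =====
! Assumed addressing (hypothetical, chosen to match the thread's packet-tracer output):
!   LOCAL-REAL    10.0.0.0/24    MAIN LAN that must reach the remote site
!   LOCAL-MAPPED  10.0.100.0/24  how MAIN's LAN appears to the remote site
!                                (make this identical to LOCAL-REAL if nothing overlaps)
!   REMOTE-REAL   10.0.255.0/24  remote LAN; overlaps with MAIN's own WLAN 10.0.255.0/24
!   REMOTE-MAPPED 10.0.200.0/24  the address MAIN hosts use to reach the remote LAN
object network LOCAL-REAL
 subnet 10.0.0.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 10.0.100.0 255.255.255.0
object network REMOTE-REAL
 subnet 10.0.255.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 10.0.200.0 255.255.255.0
!
! Twice NAT from LAN towards outside, translating source and destination in one rule:
!   source      LOCAL-REAL    -> LOCAL-MAPPED
!   destination REMOTE-MAPPED -> REMOTE-REAL  (mapped object first, real object last)
! Placed at line 1 of section 1 so it wins over any dynamic PAT rule.
! Traffic to MAIN's own 10.0.255.0/24 never matches it (destination is not 10.0.200.0/24),
! so local access to the WLAN network stays untranslated, as the packet-tracer shows.
nat (LAN,outside) 1 source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-MAPPED REMOTE-REAL
!
! NAT runs before tunnel selection, so the crypto ACL must match the post-NAT addresses.
access-list L2L-VPN extended permit ip object LOCAL-MAPPED object REMOTE-REAL
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-REAL-PSK
!
! Verification (assumed host 10.0.200.15 = remote 10.0.255.15 seen through REMOTE-MAPPED):
!   packet-tracer input LAN icmp 10.0.0.100 8 0 10.0.200.15
!     -> expect an UN-NAT phase to 10.0.255.15, a NAT phase to 10.0.100.100,
!        and a VPN ENCRYPT phase with output-interface outside (not WLAN)
!   show crypto ipsec sa peer 198.51.100.2
!     -> local ident 10.0.100.0/24, remote ident 10.0.255.0/24, encaps counters rising
!
! ===== REMOTE ASA (8.4) =====
! The remote side only ever sees MAIN's traffic sourced from LOCAL-MAPPED, so it does not
! need to translate anything; it needs a NAT0 (identity) rule so that its dynamic PAT
! rule does not rewrite VPN-bound traffic, plus the mirror image of MAIN's crypto ACL.
object network REMOTE-LAN
 subnet 10.0.255.0 255.255.255.0
object network MAIN-MAPPED
 subnet 10.0.100.0 255.255.255.0
nat (inside,outside) 1 source static REMOTE-LAN REMOTE-LAN destination static MAIN-MAPPED MAIN-MAPPED
access-list L2L-VPN extended permit ip object REMOTE-LAN object MAIN-MAPPED
! crypto map / IKEv1 policy / tunnel-group as on MAIN, with the peer set to MAIN's outside address.
```

The two details that make this work are the operand order in the MAIN rule (the `destination static` pair is written mapped-object first, real-object last, which is the trailing "object" the question's version was missing) and the fact that the crypto ACL on MAIN references LOCAL-MAPPED and REMOTE-REAL rather than the real local network and the mapped remote one. On the REMOTE ASA the identity rule is only there to beat the dynamic PAT; on a box with no NAT rules at all it could be left out, as the follow-up reply notes.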
